Turning Data into Threat Intelligence: A Case Study

Most Threat Intelligence…Isn’t

Data is potentially useful, but until some process turns raw data into something usable, it is not intelligence. Intelligence is produced by human analysts who have reviewed the information and put it in context.

Defining Threat Intelligence

There is a difference between data and information, and again between information and intelligence. If information is readable and interesting but does not apply to the security professional and their business objective, then it is not relevant and it is not intelligence. Threat intelligence must be relevant, actionable, and valuable.

The Analyst’s Task

The cyber analyst’s job falls into the following categories: watch the horizon, watch the doors, and find out what happened after an incident. All of this comes amidst an ever-expanding set of online languages, formats, and sources to worry about.

Case Study

When investigating a scenario like the one above, there are several points to keep in mind:

Providing context around a domain name

Level of potential risk

What next steps should be taken

What should be communicated to management

Using a Cyber Threat Center

Using our Cyber Threat Center, for instance, analysts can draw on three main components: client intelligence, global intelligence, and the Analyst’s Toolbox. We’ll be focusing on the Analyst’s Toolbox, which provides the tools for just this kind of investigation. The toolbox includes a database of about 200 million domain names; information on malware, phishing, and malicious URLs; and ISP geo-location.

Since this was a Phishing Attack, We Start with the Phishing Database

In this instance, the search on the target domain returned 219 matches, beginning in 209; these are documented cases of phishing on this same domain. Filtering those matches by target shows that they span a broad range of industries, countries, and languages.
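As an added example (not code from the webinar or from the Cyber Threat Center, whose database and query interface the page does not describe), the following Python script performs the same pivot on a small constructed set of phishing records: collect every case for a suspect domain and its subdomains, work out the first and last sighting, break the matches down by target, industry, country and language, and map the result to a rough risk level. The domain names, the records, the field names and the risk thresholds are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PhishRecord:
    """One documented phishing case. Field names are assumed, not the
    Cyber Threat Center's schema."""
    domain: str
    seen: date
    target: str      # brand or organisation being impersonated
    industry: str
    country: str
    language: str


# Constructed sample data: a hypothetical suspect domain with five
# documented cases over several years, plus two unrelated domains that a
# naive substring match would pull in by mistake.
RECORDS = [
    PhishRecord("login-verify.example", date(2009, 3, 14), "Bank A", "Financial", "US", "en"),
    PhishRecord("secure.login-verify.example", date(2010, 7, 2), "Bank A", "Financial", "US", "en"),
    PhishRecord("login-verify.example", date(2011, 1, 20), "Webmail B", "Technology", "DE", "de"),
    PhishRecord("login-verify.example", date(2012, 5, 5), "Retailer C", "Retail", "FR", "fr"),
    PhishRecord("login-verify.example", date(2013, 9, 30), "Bank D", "Financial", "BR", "pt"),
    PhishRecord("other-site.example", date(2012, 2, 2), "Bank A", "Financial", "US", "en"),
    PhishRecord("notlogin-verify.example", date(2013, 4, 1), "Bank D", "Financial", "BR", "pt"),
]


def matches_for(domain, records):
    """Records whose domain is the suspect domain or one of its subdomains.
    Comparing on label boundaries keeps 'notlogin-verify.example' out."""
    d = domain.lower().rstrip(".")
    return [r for r in records
            if r.domain.lower() == d or r.domain.lower().endswith("." + d)]


def summarize(domain, records=RECORDS):
    """Turn raw matches into the facts an analyst needs: how many cases,
    over what period, and how broad the targeting has been."""
    hits = matches_for(domain, records)
    if not hits:
        return {"domain": domain, "matches": 0}
    seen = sorted(r.seen for r in hits)
    return {
        "domain": domain,
        "matches": len(hits),
        "first_seen": seen[0].isoformat(),
        "last_seen": seen[-1].isoformat(),
        "targets": Counter(r.target for r in hits),
        "industries": Counter(r.industry for r in hits),
        "countries": Counter(r.country for r in hits),
        "languages": Counter(r.language for r in hits),
    }


def risk_level(summary):
    """Assumed heuristic (not the webinar's): no history means nothing to act
    on yet; a history spread across several targets or countries points to
    reused phishing infrastructure rather than a one-off campaign."""
    if summary["matches"] == 0:
        return "none on record"
    broad = len(summary["targets"]) >= 3 or len(summary["countries"]) >= 3
    return "high" if broad else "medium"


if __name__ == "__main__":
    s = summarize("login-verify.example")
    print(s["matches"], "matches from", s["first_seen"], "to", s["last_seen"])
    print("targets:", dict(s["targets"]))
    print("industries:", dict(s["industries"]))
    print("risk:", risk_level(s))
```

The suffix check in `matches_for` is the detail worth copying: matching on `"." + domain` rather than a bare substring is what keeps look-alike domains such as `notlogin-verify.example` from inflating the count and the apparent risk.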

In Less than Five Minutes, We Learned the Following

But More Data Isn’t Always Better

A key analyst skill is knowing when you have enough information, or when nothing valuable is available. You need enough information to allow a decision to be made. There are other lines of inquiry you may wish to explore, such as malware history, linkages and contacts, and third-party corroboration.

We Now Have Plenty of Data. Let’s Create Intelligence

...and here’s what we’d conclude:

And Finally, You Can Make Some Recommendations

If you’d like to watch the webinar in its entirety, it’s available on demand here.